Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from March 21 to 28.
Our favorite 5 hacking items
1. Vulnerabilities of the week
Spring4Shell & CVE-2022-22963 – Java 0-days in Spring
There is a lot of chatter about 0-days in Spring and some confusion because there isn’t one but two vulnerabilities:
- Spring4Shell is a severe RCE via insecure deserialization in Spring Core. It is exploited in the wild, was leaked by a Chinese-speaking researcher, does not have a patch nor a CVE yet.
- CVE-2022-22963 is a less severe and patchable SPEL Expression Injection in Spring Cloud Function.
Some say it is the new Log4shell and others say there is no need to panic about Spring4Shell as it is only exploitable in certain configurations. Until we know more, here are some good resources to dive into both vulnerabilities:
- Spring4Shell analysis by LunaSec, Rapid7, Cyber Kendra & SANS ISC
- Non intrusive Spring4Shell PoC
- CVE-2022-22963 advisory
- CVE-2022-22963 Nuclei template
2. Writeups of the week
Ruby Deserialization – Gadget on Rails (Ruby on Rails)
PHP filter_var shenanigans
@httpvoid0x2f‘s latest writeup is a deep dive into insecure deserialization in Ruby/Rails. They go over the current state of ruby deserialization gadget chains, and show how they discovered a new RCE gadget for the latest version of Rails.
The second writeup is about a vulnerability in PHP that allows circumventing filter_var() in some cases. There are some limitations but it is interesting to see @pwningsystems‘s process for finding this, and it is a good research opportunity as @albinowax pointed out.
3. Videos of the week
🎙️ HTB Stories #8: Bug Bounties 101 w/InsiderPhD
rootxharsh Talks About Recon, Finding A $50,000 Remote Command Execution in Apple, and more!
@InsiderPhD and @rootxharsh are two of my favorite hackers.
@rootxharsh is part of HTTPVoid, a crew of bug hunters who have been putting out amazing writeups lately like the Ruby Deserialization bug mentioned above.
And @InsiderPhD juggles between multiple specialties and often shares cool productivity tips in addition to technical content.
So, these interviews are a nice opportunity to get to know them more and pick up some useful insights on how they think and hack.
4. Article / Tool of the week
Bypassing CDN WAF’s with Alternate Domain Routing & CDN Proxy
@Ryan_Jarv shares a really cool attack and tool for bypassing WAFs.
The tool currently supports CloudFlare and CloudFront, with two prerequisites: Knowing the server’s origin IP and that the Web app is accessible from the CDN’s shared IP range.
In these conditions, the “Alternate Domain Routing” attack allows you to completely bypass the CloudFlare or CloudFront WAF, access the server directly and bypass any IP restrictions or rate limiting.
5. Conference of the week
Practical Cryptography for Infosec Noobs & Slides
This is an awesome talk if you want to learn practical cryptography, beyond the easy or unrealistic challenges found in many CTFs.
@mubix demonstrates how to identify and decrypt random data in real life, for example during pentesting or bug hunting when you don’t even know the type of cryptography used.
Other amazing things we stumbled upon this week
- PHP Type Juggling – Why === is Important – Sponsored Content
- # CODE INJECTION via a VULNERABLE TEMPLATE ENGINE!
- Forward Shell
- Deep dives on David Dombal’s Youtube channel on Traceroute, Nmap, TCP/IP & SSL/TLS
- Bishop Fox Tool Talks: Episode 3: Nuclei Episode, Episode 2: Fuzzing & Episode 1: Eyeballer
- Tactical Burpsuite – Kevin Johnson & Nathan Sweaney
Slides & Workshop material
- Understanding Windows Lateral Movements
- Insomni’Hack 2022:
Medium to advanced
- Cloud-based DNS monitoring with IPinfo Enrichment & TL;DR
- Whitepaper – Double Fetch Vulnerabilities in C and C++
- What to look for when reviewing a company’s infrastructure
- Supply Chain Attack as Code
- Azure Dominance Paths
- C++ Memory Corruption (std::string) – part 4
- I’ve been Hacking for 10 Years! (Stripe CTF Speedrun)
- HackTheBox – Secret
- SANS Holiday Hack Challenge 2021
- Liikt1337 – Hacking the hacker – 1337UP LIVE CTF challenge writeup
- Overflows in PHP?! Solution to March ’22 XSS Challenge & Winners
- Authentication bypass using root array
- Reports from the Field: Part 3
- How Clubhouse user scraping and social graphs
Responsible(ish) disclosure writeups
- ImpressCMS: from unauthenticated SQL injection to RCE #Web
- Finding bugs to trigger Unauthenticated Command Injection in a NETGEAR router (PSV-2022–0044) #Web #Router
- CVE-2022-26318 – Unauthenticated RCE in WatchGuard Firebox and XTM appliances
- CVE-2021-43008 – AdminerRead
- Using the Dirty Pipe Vulnerability to Break Out from Containers & PoC
- CVE-2019-0708 (BlueKeep) pre-auth RCE POC on Windows7
Bug bounty writeups
- One company: 262 bugs, 100% acceptance, 2.57 priority, millions of user details saved.
- Unauthenticated Remote Code Execution in Cisco Nexus Dashboard Fabric Controller (formerly DCNM)
- Basic recon to RCE II
- HTML parser bug triggers Chromium XSS security flaw (Google Chromium, $5,000)
- When Equal is Not, Another WebView Takeover Story
- Able to steal bearer token from deep link (Basecamp, $6,337)
- 0-day Cross Origin Request Forgery vulnerability in Grafana 8.x . (Aiven Ltd, $1,500)
See more writeups on The list of bug bounty writeups.
- Go Decrypt Jenkins: Simple tool to decrypt Jenkins encrypted strings
- Spellbook: Framework for rapid development and reusable of security tools
- HTTP CL.TE & TE.CL Desync Calculator: Perform TE.CL HTTP Request Smuggling attacks by crafting HTTP Request automatically
- Right-To-Left Override POC & Initial Access – Right-To-Left Override [T1036.002]
Tips & Tweets
- Insightful tips @SecGus after triaging bugs for 5 months
- Git Temporal VSCode extension + @trick3st Inventory = asset timeline tracking
- @hacker_ on why/how “Anyone can hack”
- Using Nuclei (with default templates) is a competitive disadvantage
- @hacker_’s roadmap to develop your technical skills
- @Masonhck3571 on “Is it tool late to do bug bounty?”
- 403 bypass by appending unusual characters at the end of file names
Misc. pentest & bug bounty resources
- RegexPassive: Collection of regexp pattern for security passive scanning
- Find-gh-poc: The centerpiece of the trickest/cve project; finds CVE PoCs on Github
- Cloud Hacking Playbook ($25)
- The DOs and DON’Ts of Secure Coding
- Best platforms to learn ethical hacking!
- BreakingFormation: Technical Vulnerability Walkthrough
- LDAP relays for initial foothold in dire situations
- 2022 Threat Detection Report by Red Canary
- Analyzing the Attack Landscape: Rapid7’s 2021 Vulnerability Intelligence Report
Bug bounty & Pentest news
- Bug bounty
- Upcoming events
- Finding bugs with Nuclei with PinkDraconian (Robbe Van Roey) (April 3)
- APIsecure (April 6 & 7)
- Tool updates